Biometrics Implementation

Q. What captures biometric characteristics?

For recording biometric characteristics and converting them to usable computer data, one needs a biometric capture device with an appropriate sensor (see table). Costs can vary greatly between sensors. However, many technical devices already have sensors built in and therefore make it possible to measure biometric characteristics at nearly no extra cost.

| Biometric characteristic | Sensor |
| --- | --- |
| Fingerprint (Minutia) | capacitive, optic, thermal, acoustic, pressure sensitive |
| Signature (dynamic) | Tablet |
| Facial Structure | Camera |
| Iris pattern | Camera |
| Retina | Camera |
| Hand geometry | Camera |
| Finger geometry | Camera |
| Vein structure of the hand | Camera (infrared) |
| Ear form | Camera |
| Voice (Timbre) | Microphone |
| DNA | Chemical Lab |
| Odor | Chemical sensors |
| Keyboard Strokes | Keyboard |
| Comparison: Password | Keyboard |

Q. What makes up a biometric authentication system?

A basic biometric system is made up of:

a sensor to capture the biometric characteristic

a computer unit to process and eventually save the biometric data

an application, for which the user's authentication is necessary

In detail, the processing unit comprises (see also biometric recognition)

a "feature extraction unit" which filters the uniqueness data out of the raw data coming from the sensor (called biometric sample) and combines them into the biometric feature,

a "comparator" which compares the biometric features with the biometric reference and delivers a "score" value as result,

and a "decision unit" which takes the score value (or values) as well as the threshold to derive a two-valued decision (authorized or non-authorized).

Q. What computation speeds are required by a biometric authentication system?

Generally, computation speeds adequate for pattern recognition are required. This is about 100 million operations per second, which has been attainable on affordable hardware (PC, DSP) since about 1998.

Q. How do enrolment and biometric authentication work?

A prerequisite for authentication is enrolment, in which the biometric features are saved as a personal reference either decentrally on a chip card or PC, or centrally in a database. Since the quality of the enrolment essentially determines the performance of the authentication, it must be implemented carefully. It is obvious that enrolment must take place in a trustworthy environment.
During an authentication, a new scan of the biometric characteristic is required. This time it is not saved; instead, it is compared to the biometric reference(s). If the comparison shows sufficient similarity, access to the appropriate applications can be granted, for example.
Most biometric systems show the following procedure in detail:

Capturing a data set (e.g., image or sound, called biometric sample) which includes the biometric features to be extracted using an appropriate biometric capture device incl. the sensor

Examination of the data quality; if it is insufficient, the data are rejected immediately or appropriate user guidance is given on how to improve the quality

Extraction of the desired biometric features from the biometric sample

For enrolment: Storage of the biometric features as a biometric reference in the "reference archive"

For authentication: Comparison of the actual (request) biometric features with the biometric reference using a "comparator" and generation of a score value which determines the degree of coincidence

For authentication: If the score value exceeds a predetermined threshold, access is granted; otherwise the request is rejected
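The procedure above, as an added example that is not part of the original page: a minimal enrolment and authentication pipeline with a quality check, feature extraction unit, comparator and decision unit. The sensor readings, the cosine-similarity comparator, the quality measure and both numeric limits are assumptions chosen for illustration.

```python
import math

QUALITY_MIN = 0.5        # assumed minimum share of valid sensor readings
THRESHOLD = 0.90         # assumed decision threshold on the score
reference_archive = {}   # "reference archive": user id -> biometric reference

# Constructed sample readings (None marks a sensor dropout).
ENROL_SAMPLE = [4.0, 1.0, 3.0, 2.0, 5.0, 1.0]
GENUINE_SAMPLE = [4.1, 0.9, 3.2, 2.0, 4.8, 1.1]
IMPOSTOR_SAMPLE = [1.0, 5.0, 1.0, 4.0, 1.0, 3.0]
POOR_SAMPLE = [4.0, None, None, None, None, 1.0]


def capture_quality(sample):
    """Quality check: fraction of readings that are not dropouts."""
    return sum(v is not None for v in sample) / len(sample)


def extract_features(sample):
    """Feature extraction unit: zero-fill dropouts, normalise to unit length."""
    vec = [0.0 if v is None else float(v) for v in sample]
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def comparator(features, reference):
    """Comparator: cosine similarity of two unit vectors, used as the score."""
    return sum(a * b for a, b in zip(features, reference))


def enrol(user_id, sample):
    """Store the extracted features as the reference; reject poor samples."""
    if capture_quality(sample) < QUALITY_MIN:
        return False
    reference_archive[user_id] = extract_features(sample)
    return True


def authenticate(user_id, sample):
    """Return (decision, score); the request sample is compared, never stored."""
    reference = reference_archive.get(user_id)
    if reference is None or capture_quality(sample) < QUALITY_MIN:
        return False, 0.0            # rejected before any comparison
    score = comparator(extract_features(sample), reference)
    return score > THRESHOLD, score  # decision unit: two-valued result
```
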

Q. What are the advantages of using a combination of chip card and biometrics?

In authentication, possession of a chip card combined with biometric methods may further increase reliability. Not only are biometric references saved on the chip card, but also identity data of the user. For authentication, chip card plus capturing of the biometric characteristic is required. The following advantages result:

entry of a user ID via keypad is unnecessary

no central database storing references is necessary

compromise of the biometric characteristic without possession of the card is not critical

when using a chip card with an integrated crypto processor and biometric comparator, compromise by decrypting a readout is rendered nearly impossible

if a normal chip card is stolen, it may be blocked and a new card issued. With a crypto card, on the other hand, only the saved, non-displayed secret key must be changed.

Still higher protection is achieved when using a crypto card which integrates biometric sensors in the card. This offers more effective protection against input of compromised data records, as this sensor cannot be externally intercepted when it is the only interface for the input of biometric data. Today's chip cards, however, don't yet offer the computational power required to extract the biometric sample's data directly on the card.

Q. What is "Template on Card"?

Regarding "Template on Card", a chip card stores the extracted biometric template as biometric reference electronically. There are different ways of realization:

The chip card is a simple memory card, the storage is done without encryption

These possibilities fulfill increasing security requirements in increasing order. In all cases it must be noted that the communication partners of the chip card codetermine the security of the whole system.

Q. What might PC access control with "Template on Card" look like?

We consider the following implementation possibilities:

The chip card is a pure memory card, storage is unencrypted

During enrolment, a PC connected to a biometric sensor extracts the biometric features and subsequently stores them as the biometric reference on the chip card. At verification, the access seeker inserts her chip card into the chip card reader and her biometric characteristic is scanned again. The scanned biometric characteristic is then compared at the PC to the reference stored on the chip card. If the comparison exceeds a certain level of similarity, full clearance is granted to the network by sending the decrypted password (which is stored on the PC encrypted) from the PC to the server.

The chip card is a pure memory card, storage is encrypted.

See above. In addition, however, the reference from the card is decrypted on the PC or, better yet, on the server with a securely stored key. Alternatively, the comparison process should likewise occur on the server; for this, the currently extracted biometric features are transmitted securely from the PC to the server.

The chip card is a processor card (smart card) with crypto function

The communication partners of the crypto card are a PC, a biometric sensor and a protected server. During a log-on attempt, the crypto card and the server create a secured connection. The server retrieves the reference data from the crypto card. Simultaneously, the PC extracts the biometric features from the sensor's raw data (biometric sample) and sends them (potentially secured by a one-time key) to the server, where they are compared to the card's biometric reference. If the comparison is positive, the PC grants access to the network drives.

Q. What is "Matcher on Card"?

Chip cards with an integrated biometric comparator not only store the reference, they also compare the biometric template with the incoming biometric features. For that reason the card needs an internal processor ("smartcard").

Q. What are the features of Matcher on Card?

Advantages over other solutions

Applications which use PIN authentication on a smart card may be extended to biometric authentication without changing the infrastructure. Example: SIM card for mobile phones. Even in the case of a loss of the phone and/or the SIM card, no unauthorized access to the net is to be feared.

As the reference template need not leave the card, more privacy is guaranteed - but only if the fingerprint acquisition system is under full control of the user (example: cell phone).

Drawback

There is only limited processing power and memory space available on the smart card. This requires some compromises with regard to biometric recognition performance.
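The difference between "Template on Card" and "Matcher on Card" at the card interface, as an added example that is not part of the original page. The feature bit strings, the Hamming-based score, the threshold and the PIN-style retry counter are assumptions for illustration, and the classes only simulate a card in software.

```python
# Constructed 20-bit feature strings.
REF = "10110011100010110100"
GENUINE = "00110011100010110101"    # 2 of 20 bits differ from REF
IMPOSTOR = "01001100010010110100"   # 10 of 20 bits differ from REF


def hamming_score(a, b):
    """Fraction of matching bits between two equal-length bit strings."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


class TemplateOnCard:
    """Memory card: stores the reference and hands it out to the host."""

    def __init__(self, reference):
        self._reference = reference

    def read_reference(self):
        return self._reference        # the reference leaves the card


class MatcherOnCard:
    """Processor card: compares internally; only the decision leaves the card."""

    def __init__(self, reference, threshold=0.85, max_tries=3):
        self._reference = reference
        self._threshold = threshold   # assumed value
        self._max_tries = max_tries   # assumed retry limit, as for a PIN
        self._tries_left = max_tries

    def verify(self, features):
        if self._tries_left == 0:
            return False              # card blocked after repeated failures
        ok = (len(features) == len(self._reference)
              and hamming_score(features, self._reference) > self._threshold)
        self._tries_left = self._max_tries if ok else self._tries_left - 1
        return ok


def host_verify(card, features, threshold=0.85):
    """Template on Card: the host reads the reference and runs the comparator."""
    return hamming_score(features, card.read_reference()) > threshold
```

With `TemplateOnCard` the security of the comparison depends on the host that reads the reference; with `MatcherOnCard` the host never holds the reference at all.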